Upgrade Holochain to 0.5.5

[lucksus]

Use new branch 0.5.5-coasys in our fork of Holochain

Summary by CodeRabbit

• Chores
  • Updated executor dependencies to newer forked releases (holochain and related packages) to align with upstream/coasys updates.
  • Upgraded CI Go toolchain and the holochain CLI version used in builds.
  • Standardized and refreshed the CI build image reference for consistency.
  • Improves build stability and security; no user-facing behavior changes.

[coderabbitai]

Walkthrough

Updated Rust dependencies in rust-executor/Cargo.toml (kitsune2_api and several holochain crates switched to coasys fork/versions) and CI configuration: .circleci/Dockerfile Go version and holochain_cli install version changed, and .circleci/config.yml now centralizes a Docker image digest via an ad4m_image anchor.

Changes

Cohort / File(s)	Summary
Rust dependency updates rust-executor/Cargo.toml	Upgraded kitsune2_api 0.1.9 → 0.1.15; switched holochain, holochain_cli_bundle, and holochain_types to coasys fork 0.5.5-coasys (branch change). Other deps (e.g., lair_keystore_api, sodoken) unchanged.
CI: Dockerfile toolchain & tooling .circleci/Dockerfile	Updated ENV GO_VERSION 1.22.0 → 1.24.6 and changed installed holochain_cli version from 0.5.2 → 0.5.5; remaining Dockerfile steps unchanged.
CI: shared image anchor .circleci/config.yml	Added ad4m_image anchor pointing to coasys/ad4m-ci-linux:latest@sha256:654fee9ee2a36fec192a4a08c611ef99d9ad57c6d1a4e5bd51d899871b908b03 and replaced explicit per-job image digests with *ad4m_image for three jobs.

Sequence Diagram(s)

(omitted — changes are dependency and CI configuration updates without new runtime control flow)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Upgrade Holochain to 0.5.4 #615 — Related updates to holochain-related crate versions and coasys fork references.
• Update to HC 0.5.3-rc0 #612 — Overlapping dependency edits for kitsune2_api and holochain crates.

Poem

I hopped to the toml with a cheerful twitch,
Bumped kitsune and holo, gave CI a switch. 🥕
Anchors set, versions climbed, all tidy and plump,
I wiggled my nose — commits in my jump!

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 7160633 and 9e98f5f.

📒 Files selected for processing (2)

• .circleci/Dockerfile (2 hunks)
• .circleci/config.yml (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• .circleci/Dockerfile
• .circleci/config.yml

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch hc-0.5.5

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

rust-executor/Cargo.toml (2)

97-100: Upgrade looks good; ensure determinism by pinning git deps to a commit.

Targeting the coasys fork/branch is fine, but branches move. For reproducible builds (CI and releases), pin these three deps to a specific commit and optionally keep the branch for readability.

Apply this diff once you have the commit SHAs:

-holochain = { version = "0.5.5", features = ["test_utils", "default"], git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }
-holochain_cli_bundle = { version = "0.5.5", git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }
-holochain_types = { version = "0.5.5", git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }
+holochain = { version = "0.5.5", features = ["test_utils", "default"], git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys", rev = "<commit-sha>" }
+holochain_cli_bundle = { version = "0.5.5", git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys", rev = "<commit-sha>" }
+holochain_types = { version = "0.5.5", git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys", rev = "<commit-sha>" }

If you prefer, you can drop the explicit version when using a pinned rev, but keeping it helps feature unification when other crates reference the same semver.

---

98-98: Gate test_utils behind an opt-in feature.

Shipping features = ["test_utils", "default"] on holochain increases compile time, binary size, and risk of test-only APIs leaking into production. Make it opt-in.

Within this line, remove test_utils:

-holochain = { version = "0.5.5", features = ["test_utils", "default"], git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }
+holochain = { version = "0.5.5", features = ["default"], git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }

Then add a feature toggle elsewhere in Cargo.toml:

[features]
# existing features...
holochain-test-utils = ["holochain/test_utils"]

Enable --features holochain-test-utils only in tests or local tooling.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b052d73 and 0b34861.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• rust-executor/Cargo.toml (1 hunks)

🔇 Additional comments (2)

rust-executor/Cargo.toml (2)

97-100: Nice: targeted upgrade with minimal blast radius.

The constrained bump to the coasys 0.5.5 line and kitsune2_api is tight and should minimize churn elsewhere. Good job keeping the rest of the manifest stable.

---

97-100: Action Required: Manual Compatibility Verification for kitsune2_api and Holochain Fork

Due to sandbox limitations (no /proc/self/exe), we couldn’t run the compatibility checks automatically. Please perform the following in your local or CI environment to confirm there are no subtle version or source mismatches between:

• kitsune2_api = "0.1.15"
• kitsune_p2p_types = "0.5.0-dev.9"
• lair_keystore_api = "0.6.1-*"
• sodoken = "0.1.0"
• All holochain = { …, version = "0.5.5", git = "...", branch = "0.5.5-coasys" } crates

Run:

# Inspect feature-enabled dependency trees
cargo tree -i holochain_types -e features
cargo tree -i holochain -e features
cargo tree -i holochain_cli_bundle -e features

# Look for duplicate versions or sources of holochain* and kitsune* crates
cargo tree -d | rg -nP '^(holochain(_types|_cli_bundle)?|kitsune(_p2p_types|2_api)?)\b' -n -C1

# Verify locked SHAs for your git dependencies
cargo metadata --format-version=1 | jq '.packages[] | select(.source!=null) | {name, source}'

# Ensure the project compiles cleanly
cargo check
cargo check --features holochain-test-utils

If you spot any duplicate crate versions or sources, unify them via a [patch.crates-io] override in rust-executor/Cargo.toml to prevent subtle type or feature-flag mismatches.

[coderabbitai]

🛠️ Refactor suggestion

Avoid dual-source duplicates of Holochain crates; add a crates-io patch.

Since you point direct deps to a git source, any transitive dep still pulling holochain* from crates.io will cause two sources for the same crate name/version and potential type duplication. Use a global patch to force all holochain* crates to the fork.

Add this near your existing [patch.crates-io] section:

[patch.crates-io]
# keep existing entries like rusqlite...
holochain = { git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }
holochain_types = { git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }
holochain_cli_bundle = { git = "https://github.com/coasys/holochain.git", branch = "0.5.5-coasys" }

This ensures a single source for these crates across the entire dependency graph.

🤖 Prompt for AI Agents

In rust-executor/Cargo.toml around lines 97 to 100, you add direct git
dependencies for holochain crates which can conflict with crates.io-sourced
transitive deps; add entries to the existing [patch.crates-io] section to point
holochain, holochain_types, and holochain_cli_bundle to the same git repo/branch
so the resolver uses the fork everywhere and avoids duplicate crate sources and
type mismatches.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.circleci/Dockerfile (2)

36-38: Version mismatch: holochain_cli is pinned to 0.5.2 while upgrading to Holochain 0.5.5

Given the PR objective is to move to Holochain 0.5.5, the CLI should be aligned to avoid incompatibilities in local dev/CI flows.

Consider bumping and locking the install:

- RUN ~/.cargo/bin/cargo install holochain_cli@0.5.2
+RUN ~/.cargo/bin/cargo install --locked holochain_cli@0.5.5

If 0.5.5 is not yet published for the CLI, at minimum add a TODO and rationale here.

---

67-68: Non-interactive apt install may hang; add -y

This step can prompt in CI images. Add -y for non-interactive installs.

-RUN apt-get update && apt-get install psmisc
+RUN apt-get update && apt-get install -y psmisc

🧹 Nitpick comments (4)

.circleci/Dockerfile (3)

7-8: Unnecessary sudo under root and large dependency footprint

• You’re already USER root; sudo is unnecessary and can fail if absent.
• Consider --no-install-recommends to slim the image.

-RUN apt-get update && sudo apt-get install -y \
-    libgtk-3-dev webkit2gtk-4.0 libappindicator3-dev librsvg2-dev patchelf protobuf-compiler cmake gobjc clang gnustep-devel libobjc4 libgnustep-base-dev libasound2-dev pkg-config fuse libfuse2 mesa-utils mesa-vulkan-drivers
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libgtk-3-dev webkit2gtk-4.0 libappindicator3-dev librsvg2-dev patchelf protobuf-compiler cmake gobjc clang gnustep-devel libobjc4 libgnustep-base-dev libasound2-dev pkg-config fuse libfuse2 mesa-utils mesa-vulkan-drivers \
+  && rm -rf /var/lib/apt/lists/*

---

51-51: Pin pnpm version to match CI and ensure reproducibility

integration-tests-js job installs pnpm@9.15.0. Pin here too to avoid cross-env inconsistencies.

-RUN npm install -g pnpm
+RUN npm install -g pnpm@9.15.0

---

21-21: Node 18.x is EOL; consider moving to Node 20 LTS

Node 18 reached end-of-life in 2025. Unless constrained, prefer Node 20 LTS for security updates.

-RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - && apt-get install -y nodejs
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && apt-get install -y nodejs

.circleci/config.yml (1)

8-13: Minor: Orbs defined but not used

You define node/go/rust orbs but the jobs run entirely inside Docker images and don’t use orb executors/commands. Consider removing unused orbs to reduce config noise.

-orbs:
-  node: circleci/node@5.2.0
-  go: circleci/go@1.10.0
-  rust: circleci/rust@1.6.1
+orbs: {}

If you intend to use them later, ignore this.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 32a910a and 7160633.

📒 Files selected for processing (2)

• .circleci/Dockerfile (1 hunks)
• .circleci/config.yml (1 hunks)

🔇 Additional comments (2)

.circleci/Dockerfile (1)

32-35: Confirm Rust 1.86 is safe for Holochain 0.5.5

Holochain 0.5.5 does not pin a minimum Rust version in its Cargo.toml (no rust-version field) nor provide a rust-toolchain(.toml) file. By design, it builds on the stable Rust channel, which guarantees backward compatibility. Therefore installing and using Rust 1.86 (or any newer stable release) will compile Holochain 0.5.5 without issue, and no change to the Dockerfile is required.

.circleci/config.yml (1)

121-124: It looks like the cache-restore path and cache-save path reference two different directories—bootstrap-languages/file-storage/hc-dna vs. bootstrap-languages/file-storage-language/hc-dna. Because “target” folders aren’t checked into Git, my scan didn’t turn up any results.

Please verify which directory actually exists in your repo by running something like:

# List top-level language directories
ls -1 bootstrap-languages

# Or directly check for both candidates:
[ -d bootstrap-languages/file-storage/hc-dna ] && echo "file-storage exists"
[ -d bootstrap-languages/file-storage-language/hc-dna ] && echo "file-storage-language exists"

Once you know the correct path, you can align the restore_cache and save_cache entries so they match.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Go 1.24 bump: verify availability and add checksum verification for the tarball

• Ensure Go 1.24.0 is GA and available on go.dev for linux-amd64.
• Add SHA256 verification to harden supply chain security.

Run this to confirm 1.24.0 exists and capture its SHA256:

Apply checksum verification:

 ENV GO_VERSION 1.24.0
-RUN wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz -O go.tar.gz \
-    && tar -C /usr/local -xzf go.tar.gz \
-    && rm go.tar.gz
+RUN wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz -O /tmp/go.tar.gz \
+    && wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256 -O /tmp/go.tar.gz.sha256 \
+    && sha256sum -c /tmp/go.tar.gz.sha256 \
+    && tar -C /usr/local -xzf /tmp/go.tar.gz \
+    && rm /tmp/go.tar.gz /tmp/go.tar.gz.sha256

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
curl -fsSL https://go.dev/dl/?mode=json | jq -r '.[] | select(.version=="go1.24.0") | .files[] | select(.os=="linux" and .arch=="amd64" and .kind=="archive") | .sha256, .filename'

Length of output: 203

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# List all Go 1.24.x versions available in the JSON feed
curl -fsSL https://go.dev/dl/?mode=json \
  | jq -r '.[].version' \
  | grep '^go1\.24'

Length of output: 112

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Fetch SHA256 checksum and filename for Go 1.24.6 linux-amd64 archive
curl -fsSL https://go.dev/dl/?mode=json \
  | jq -r '.[] 
      | select(.version=="go1.24.6") 
      | .files[] 
      | select(.os=="linux" and .arch=="amd64" and .kind=="archive") 
      | .sha256, .filename'

Length of output: 324

---

Update Go bump to 1.24.6 and add SHA256 verification

• The 1.24.0 release is not published; the latest Go 1.24.x GA is 1.24.6, with archive go1.24.6.linux-amd64.tar.gz and SHA256 checksum bbca37cc395c974ffa4893ee35819ad23ebb27426df87af92e93a9ec66ef8712.
• Update the Dockerfile to use GO_VERSION 1.24.6 and verify the download’s integrity before extraction.

Pointers for .circleci/Dockerfile (around lines 11–14):

- ENV GO_VERSION 1.24.0
+ ENV GO_VERSION 1.24.6

 RUN wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz -O /tmp/go.tar.gz \
-    && tar -C /usr/local -xzf go.tar.gz \
-    && rm go.tar.gz
+    && wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256 -O /tmp/go.tar.gz.sha256 \
+    && sha256sum -c /tmp/go.tar.gz.sha256 \
+    && tar -C /usr/local -xzf /tmp/go.tar.gz \
+    && rm /tmp/go.tar.gz /tmp/go.tar.gz.sha256

This ensures you’re pulling a valid Go release and hardens supply-chain security by validating the checksum before installation.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ENV GO_VERSION 1.24.0
	RUN wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz -O go.tar.gz \
	&& tar -C /usr/local -xzf go.tar.gz \
	&& rm go.tar.gz
	ENV GO_VERSION 1.24.6
	RUN wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz -O /tmp/go.tar.gz \
	&& wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256 -O /tmp/go.tar.gz.sha256 \
	&& sha256sum -c /tmp/go.tar.gz.sha256 \
	&& tar -C /usr/local -xzf /tmp/go.tar.gz \
	&& rm /tmp/go.tar.gz /tmp/go.tar.gz.sha256

🤖 Prompt for AI Agents

In .circleci/Dockerfile around lines 11 to 14, update GO_VERSION to 1.24.6 and
change the download to the published archive name (go1.24.6.linux-amd64.tar.gz),
then verify the SHA256 before extracting using the provided checksum
bbca37cc395c974ffa4893ee35819ad23ebb27426df87af92e93a9ec66ef8712; implement a
check that computes the sha256 of the downloaded file and fails the build if it
does not match, only extracting and removing the tarball after successful
verification.